I have a UAC test environment with an EX2200 (12.3R2.5), SRX100 (12.1X45-D15.5), and a UAC (DTE) server (4.4r6.0). The latter is connected to a Windows 2008R2 Active Directory.
I got everything working, but I keep running into a certificate error when I try to connect a Windows 7 client (with all the patches etc. up till today) with Pulse on a dot1x connected port (on the EX2200).
The certificate on the UAC is issued from an Internal CA, and this CA is set as a Trusted Root Certification Authority on all domain members.
The FQDN of the UAC is uac.lan. When I connect with a browser from the same Windows client, I get NO certificate validation errors, so the basic setup is OK.
The Pulse Connection settings for 802.1x on the UAC are configured so that the client should accept ANY certificate issued by the internally trusted CA which issued the uac.lan certificate (I didn't type the ANY word, I left it blank, and ANY was automatically inserted).
The error on the Pulse client is that the server is not listed in the Trusted Server listing (on the UAC I presume), but I say it is.
Every time I try to connect to the network, I get the error. Even when I check the Remember Settings button. Somehow the Pulse client won't listen to the config of the UAC, and/or the user input.
When I add a L3 connection to the UAC, the authentication goes as expected. No warnings whatsoever.
Anyone any ideas on this?
You are completely correct that it should work. Please contact JTAC and let's see if we can figure out what is wrong with Pulse L2. For some reason it is not liking your cert or thinking it matches at L2. And that makes no sense, because browser and L3 work. So please contact JTAC and let's see if we can figure out what is going on with Pulse at L2.
The only other test you could run would be to try just the Windows supplicant at L2, though that doesn't solve your Pulse problem at L2. Honestly I would expect that to work. I think the issue might be related to Pulse L2 and we would want to verify that it has the cert data correctly on the client side. You might try uninstalling and reinstalling the Pulse client. Then allow the workstation to deploy the client from the IC at L3 (so you'll have all the settings configured from the IC).
I am doing this from memory, but on the Win 7 - Network - Auth - Settings - there is a tab and it has an option to "validate server certificate" - I believe that to just do straight 802.1x cert authentication you need to uncheck that option.
You are correct if I was using the native Windows dot1x supplicant. The Pulse supplicant (EAP-TTLS) doesn't have this feature. In this case, the certificate warnings option is set in the Pulse configuration on the UAC.
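The two things an EAP-TTLS supplicant checks on the server certificate are the ones discussed above: that it chains to the CA the client trusts, and that its name matches the configured server name (ANY, or an FQDN such as uac.lan). The script below is an added example, not part of this thread or of any Juniper tool; it builds a throwaway CA and uac.lan certificate with openssl (constructed stand-ins, not the poster's internal CA) and then runs both checks, so the same two functions can be pointed at a certificate exported from the real UAC and the CA bundle exported from AD to confirm the cert data is what the client should accept.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical CA/cert built locally so the
# checks run offline; replace the files with the real UAC cert and internal CA.
set -e
WORK=$(mktemp -d)

# Constructed stand-in for the internal CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Server certificate for the UAC's FQDN, signed by that CA, with a SAN entry.
openssl req -newkey rsa:2048 -nodes -subj "/CN=uac.lan" \
  -keyout "$WORK/uac.key" -out "$WORK/uac.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:uac.lan\nextendedKeyUsage=serverAuth\n' > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/uac.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/uac.pem" >/dev/null 2>&1

# Check 1: does the server cert chain to the CA the clients trust?
# $1 = server cert (PEM), $2 = CA bundle (PEM). Prints "ok" or "fail".
chain_ok() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check 2: does the configured trusted-server name match the cert's SAN or CN?
# $1 = server cert, $2 = configured name; ANY matches everything, as on the UAC.
name_ok() {
  if [ "$2" = "ANY" ]; then echo ok; return; fi
  if openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|$| )" \
     || openssl x509 -in "$1" -noout -subject | grep -Eq "CN ?= ?$2$"; then
    echo ok
  else
    echo fail
  fi
}

echo "chain: $(chain_ok "$WORK/uac.pem" "$WORK/ca.pem")"
echo "name ANY: $(name_ok "$WORK/uac.pem" ANY)"
echo "name uac.lan: $(name_ok "$WORK/uac.pem" uac.lan)"
echo "name other.lan: $(name_ok "$WORK/uac.pem" other.lan)"
```

If the chain check passes against the CA exported from the domain but Pulse still reports the server as untrusted at L2, the certificate itself is not the problem and the client-side copy of the connection settings is the next thing to compare.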
Will create a JTAC case for this. When a solution comes along I'll share it here.